Thread: RE: [sleuthkit-users] Opening Application Files
From: Brian S. <Br...@Pe...> - 2005-04-21 15:52:17

Thanks for all of your help, Brian. I have a follow up question (see below):

>> 6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor, however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?
>
> If you want more than just strings, you will need an app that understands the structure of the application file (just like you need a tool that can understand the structure of a specific file system to view a file system image file).

Where can I find these apps? Are there any linux based apps that can do this? Is there one app that can understand the structure of many different application files?

Thanks,
Brian

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, April 21, 2005 7:01 AM
To: Brian Starr
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Opening Application Files

On Apr 20, 2005, at 5:54 PM, Brian Starr wrote:

> Hi everyone,
>
> I am new to the forensic world using TSK and other tools, and any help is GREATLY appreciated! I know I have a lot of questions, so any help is received with gladness:
>
> Foremost (I know this is not a foremost forum, so hopefully some of you can help me.)
>
> I have recovered several different file types from fat32 unallocated disk space (dls file) using foremost. I have some questions:
>
> 1) Why does foremost make many of the file sizes the max file size as specified in the foremost.conf file? In other words, is there a way to compress them down? For example, I retrieved about 1000 .doc files (MS Office), but because of the max file size, the total disk space is showing as 2 gigs, which cannot be the case.

If it doesn't find the footer value (or if the application type doesn't have a footer value), it goes until the maximum length.

> 2) Of the .doc files retrieved, half will not open in MS Word. Why is that? I understand that other office application data files have the same file headers. Is this because I do not have the right application to open them, or because the files are corrupted? If corrupted, is there any way to recover it, or view the content, outside of viewing the strings with a hex editor?

foremost only looks for a basic signature value, which could be 2 or 4 bytes long. Random data is bound to eventually have the same value in that location so you will get false positives.

> 3) None of the database files recovered with foremost open in the application associated with them, whereas half of word/excel files open. Why is that? Are db files just more difficult to recover?

Could just be a more common signature value or because database files tend to be larger and more fragmented so you are not recovering the full file. foremost recovers only files that are not fragmented.

> Sorter
>
> 4) When I run the sorter, I have the same file types in the 'data' and 'documents' directories (for instance, there will be .doc files in both directories).

What is the file type reported for those in the data directory? 'file' puts things in 'data' if it doesn't know the type.

> In addition, many common file types are labeled as unknown (for instance, a .pst file - MS Outlook). Is this because I do not have the NIST NSRL database installed?

It has nothing to do with NSRL. I thought pst was in the rules though. If you send me the unknown file I can add more rules to the next release (this goes for anyone who finds lots of stuff in unknown. I haven't updated the rules in a while).

> 5) Does the sorter pull files from unallocated as well as allocated disk space?

It pulls stuff from unallocated space IF there is a metadata structure (i.e. inode / MFT entry etc.) that points to the data. It does not do carving like foremost does.

> Other Questions
>
> 6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor, however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

If you want more than just strings, you will need an app that understands the structure of the application file (just like you need a tool that can understand the structure of a specific file system to view a file system image file).

> 7) How could I view the content of .dat files? Is there a specific tool, or do I view the strings with a hex editor?

'.dat' is a generic extension. You really need to base it on what 'file' (or similar) tool tells you about the file type.

brian
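The two carving behaviours explained in the reply above (a carve runs to the configured maximum when no footer is found, and a 2-byte signature matches ordinary data and yields a false positive) as an added example that is not part of the thread or of foremost itself. The rules mimic foremost.conf lines with genuine GIF, OLE2 and BMP signatures; the 64-byte caps and the unallocated-space blob are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    """One carving rule shaped like a foremost.conf line: ext, max size, header, optional footer."""
    ext: str
    max_size: int
    header: bytes
    footer: bytes = b""          # empty means the type has no footer

def carve(data: bytes, rule: Rule) -> list:
    """Cut a file out of raw unallocated space at every header hit. The file ends at the
    footer if one is found within max_size; otherwise the carve runs to max_size."""
    hits, pos = [], 0
    while (start := data.find(rule.header, pos)) >= 0:
        window_end = min(len(data), start + rule.max_size)
        end = window_end
        reason = "max_size" if end - start == rule.max_size else "end_of_data"
        if rule.footer:
            f = data.find(rule.footer, start + len(rule.header), window_end)
            if f >= 0:
                end, reason = f + len(rule.footer), "footer"
        hits.append({"ext": rule.ext, "offset": start, "length": end - start, "reason": reason})
        pos = start + len(rule.header)   # keep scanning; later hits may be real files or noise
    return hits

OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")   # compound-file header shared by .doc/.xls/.ppt
# Genuine signatures; the 64-byte max sizes are demo values, not real foremost.conf caps.
RULES = [
    Rule("gif", 64, b"GIF89a", b"\x00\x3b"),   # header and footer
    Rule("doc", 64, OLE2),                     # no footer: always carved at max_size
    Rule("bmp", 64, b"BM"),                    # 2-byte header: easy to hit in random data
]

# Constructed "unallocated space": a complete GIF, an OLE2 document followed by slack,
# then ordinary text that happens to contain the bytes "BM".
BLOB = (
    b"\x00" * 8
    + b"GIF89a" + b"constructed gif body" + b"\x00\x3b"
    + b"\x00" * 4
    + OLE2 + b"constructed doc body, no footer type"
    + b"\x00" * 60
    + b"rest of the disk ... BMW mentioned in text ..."
)

def carve_all(data: bytes = BLOB, rules=RULES) -> dict:
    """Run every rule over the blob; results keyed by extension."""
    return {r.ext: carve(data, r) for r in rules}
```

The GIF comes out at its true 28 bytes, the OLE2 document is padded to the 64-byte cap (the "2 gigs of .doc files" effect), and the "BM" inside plain text is reported as a bitmap.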
From: Brian S. <Br...@Pe...> - 2005-04-21 15:56:51

One other question:

Are there any tools that can recover fat32 fragmented files from unallocated disk space, outside of what foremost and the sorter can do?

Thanks,
Brian
From: Barry J. G. <bg...@im...> - 2005-04-21 17:11:15

On Thu, 2005-04-21 at 08:56 -0700, Brian Starr wrote:

> Are there any tools that can recover fat32 fragmented files from unallocated disk space, outside of what foremost and the sorter can do?

Brian,

This is difficult at best. Consider what you are asking. If a file is deleted, or otherwise "unlinked" from its directory entry (in the case of a FAT system), then the ability of the recovery tool to "follow" the file fragments is severely hampered. The file allocation table holds pointers that describe a particular file's cluster location(s). While (IIRC) the starting cluster is normally not zeroed from the dir entry, the remaining clusters *are* (talking about FAT here). This makes recovery of fragmented files difficult, *especially* if there are unallocated clusters from other (deleted) files intermixed with the one you are looking for. In that case, even having the starting cluster and the size of the file does not help. There's no way for the recovery tool to "follow the bread crumbs" around the remnants of other deleted files.

Tools like "dls" can help with this, but in most cases, only when the fragmented deleted file clusters are surrounded by *allocated* file clusters. In which case "icat -r" is easier anyway (assuming the inode/dir entry info is still there...)

I'm sure this does not help you much, but hopefully you can see why it's more difficult than it appears. If my explanation is "clear as mud", then just ignore the whole thing... ;-)

Barry

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
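The situation Barry describes, as an added example that is not part of the thread or of TSK: a FAT32 directory entry keeps its start cluster and size after deletion, but the FAT entries for the file's clusters are zeroed, so a metadata-driven walk (what icat relies on) stops after the first cluster of a fragmented file. The directory entries, the 16-entry FAT and the 512-byte cluster size are constructed for the demo.

```python
import struct

FAT32_EOC = 0x0FFFFFF8   # FAT entry values >= this mark the end of a cluster chain
CLUSTER_BYTES = 512      # constructed geometry for the demo

def make_dir_entry(name: str, ext: str, start: int, size: int, deleted: bool = False) -> bytes:
    """Build a 32-byte FAT short-name directory entry (constructed test data)."""
    e = bytearray(32)
    e[0:8] = name.upper().ljust(8).encode("ascii")
    e[8:11] = ext.upper().ljust(3).encode("ascii")
    e[11] = 0x20                                   # ATTR_ARCHIVE
    struct.pack_into("<H", e, 20, start >> 16)     # first cluster, high word
    struct.pack_into("<H", e, 26, start & 0xFFFF)  # first cluster, low word
    struct.pack_into("<I", e, 28, size)            # file size in bytes
    if deleted:                                    # deletion only overwrites byte 0 with 0xE5
        e[0] = 0xE5
    return bytes(e)

def parse_dir_entry(e: bytes) -> dict:
    """Decode the fields a recovery tool still has after deletion."""
    hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
    size = struct.unpack_from("<I", e, 28)[0]
    deleted = e[0] == 0xE5
    base = (b"_" + e[1:8] if deleted else e[0:8]).decode("ascii").rstrip()
    return {"name": f"{base}.{e[8:11].decode('ascii').rstrip()}", "deleted": deleted,
            "start_cluster": (hi << 16) | lo, "size": size,
            "clusters_needed": -(-size // CLUSTER_BYTES)}

def follow_chain(fat: list, start: int) -> list:
    """Walk the FAT from start until end-of-chain or a zeroed (free) entry.
    A deleted file's entries are zeroed, so the walk stops at its first cluster."""
    chain, cur = [start], start
    while 0 < (fat[cur] & 0x0FFFFFFF) < FAT32_EOC:
        cur = fat[cur] & 0x0FFFFFFF
        chain.append(cur)
    return chain

def recover(fat: list, entry: bytes) -> dict:
    """What a metadata-driven tool (icat style) can reach from one directory entry."""
    info = parse_dir_entry(entry)
    info["clusters_found"] = follow_chain(fat, info["start_cluster"])
    info["complete"] = len(info["clusters_found"]) >= info["clusters_needed"]
    return info

# Constructed FAT: NOTES.TXT is 1500 bytes (3 clusters), fragmented across 5, 9, 10.
LIVE_FAT = [0] * 16
LIVE_FAT[5], LIVE_FAT[9], LIVE_FAT[10] = 9, 10, 0x0FFFFFFF
DELETED_FAT = [0] * 16   # after deletion all three entries are zeroed
LIVE = make_dir_entry("notes", "txt", 5, 1500)
DELETED = make_dir_entry("notes", "txt", 5, 1500, deleted=True)
```

With the live FAT the walk yields clusters 5, 9, 10; with the post-deletion FAT it yields only cluster 5, and the tool knows two more clusters exist but not where, which is exactly why a contiguous guess (5, 6, 7) or a carver fails on fragmented files. Some Windows versions also zero the high word of the start cluster on FAT32 at deletion, so even the start cluster can be unreliable for clusters above 65535.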
From: youcef b. <ybi...@ya...> - 2005-04-21 23:19:37

> Where can I find these apps? Are there any linux based apps that can do this? Is there one app that can understand the structure of many different application files?

QuickView Plus does a good job of recognising and viewing several application formats. It's also a preferred way of viewing MS Office suites, especially if you are paranoid about viruses.

regards
youcef